
Blocking Azure Virtual Desktop user sessions during large-scale session host deployments with automation


In my recent Azure Virtual Desktop (AVD) automation projects, I’ve been deploying hybrid joined session hosts that are also MDM enrolled into Intune. Through these deployments, I’ve learned that it can take some time for the AVD session hosts to become “compliant”. When an AVD session host becomes available in an AVD host pool and starts allowing user sessions before it is compliant, users get a poor experience: they can’t use essential apps like Teams, Outlook, or OneDrive and receive error messages due to non-compliance.

My issue with default AVD Agent Deployment

By default, Azure Virtual Desktop allows user sessions immediately after the AVD agent is deployed via Virtual Machine extensions. In our automation processes, we redeploy many session hosts every month after Patch Tuesday using a blue-green strategy to ensure all our session hosts are patched. During a large-scale redeployment of over 150 AVD session hosts with Terraform, I noticed that the AVD agent installation makes the session hosts available and ready to accept new user sessions right away.


A full deployment of around 250 VMs with Terraform can take over an hour, since Terraform creates 10 VMs in parallel by default. This means that, as long as the Terraform deployment is running, the session host VMs created in the first minutes of the process allow AVD user sessions for more than an hour, until the next pipeline step, “manage drain mode of noncompliant VMs”, is executed. This delay results in non-compliant VMs being accessible to users, which is far from ideal.

A Workaround: Disabling the Azure Virtual Desktop Agent During Deployment

Given the time it takes for hybrid joined session hosts to become compliant, I sought more control over user session allowance for newly redeployed hybrid joined AVD session hosts. The goal was to only allow user sessions once the session host is compliant.

To address this, I developed a workaround for my Terraform deployment. This workaround involves provisioning an Azure Virtual Machine Extension that stops the Azure Virtual Desktop agent service. By doing this, Terraform installs the Virtual Machine extension during deployment, and the session host is marked as unavailable, thus preventing user sessions. This solution can also be applied to Bicep deployments involving a large number of session host VMs.

By implementing this workaround, we can ensure that users only access compliant AVD session hosts, providing a better and more reliable user experience.

# Stop RDAgentBootLoader service after deployment to prevent new user sessions
resource "azurerm_virtual_machine_extension" "stop_RDAgentBootLoader_service" {
  count                = var.amountofmachines[terraform.workspace]
  name                 = "stop_RDAgentBootLoader_service_at_deployment${format("%04d", count.index + 1)}"
  virtual_machine_id   = azurerm_windows_virtual_machine.sessionhostvms.*.id[count.index]
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.10"

  settings = <<SETTINGS
{
  "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"Stop-Service -Name RDAgentBootLoader -Force\""
}
SETTINGS

  depends_on = [azurerm_virtual_machine_extension.avd_agent]

  lifecycle {
    ignore_changes = [settings]
  }
}
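The one-liner above stops the service but does not keep it stopped across a reboot, and a failed Stop-Service would not make the extension (and so Terraform) report a failure. The script below is an added example, not code from the original post, that the Custom Script Extension could run instead; it assumes two things the post does not state: that the service is also set to Disabled during provisioning, and that a terminating error is raised when the service is still running.

```powershell
# Added example (not from the original post). Two helpers for the session
# host itself: Block-AvdSessionHost for the provisioning step and
# Unblock-AvdSessionHost for the later pipeline step that releases the host
# once it is reported compliant.

$ErrorActionPreference = 'Stop'
$AgentService = 'RDAgentBootLoader'

function Block-AvdSessionHost {
    # Stop the agent loader and (assumption, not in the post) disable it so a
    # reboot during provisioning does not start it and expose the host again.
    $svc = Get-Service -Name $AgentService
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $AgentService -Force
    }
    Set-Service -Name $AgentService -StartupType Disabled
    $svc.Refresh()
    # Fail loudly: a silent failure here leaves a non-compliant host
    # accepting user sessions while the extension reports success.
    if ($svc.Status -ne 'Stopped') {
        throw "$AgentService is still $($svc.Status); host may accept user sessions"
    }
    return (Get-Service -Name $AgentService | Select-Object Name, Status, StartType)
}

function Unblock-AvdSessionHost {
    # Run from the later pipeline step, after compliance has been confirmed.
    Set-Service -Name $AgentService -StartupType Automatic
    Start-Service -Name $AgentService
    $svc = Get-Service -Name $AgentService
    if ($svc.Status -ne 'Running') {
        throw "$AgentService failed to start; host stays unavailable"
    }
    return ($svc | Select-Object Name, Status, StartType)
}

# As the extension would invoke it on the host during deployment:
Block-AvdSessionHost
```

With a script file instead of an inline command, the extension's commandToExecute becomes `powershell -ExecutionPolicy Unrestricted -File <script>.ps1`, and a thrown error gives the extension a non-zero exit code.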